How to keep your startup’s cloud secure when your security team is just you
Infrastructure security can be tough, especially at startups. Often resources are thin and there aren’t enough hours in the day to spend as much time as we’d like on security. Quite often as DevOps engineers at startups, we’re expected to be experts in security, and that often isn’t the case. We know to keep our ports closed, and to operate on the principle of least privilege, but with infrastructure as code introducing a vulnerability is as easy as a missed line. In startup environments where things move fast, it can be easy to create an insecure cloud, especially when operating by yourself.
In this talk we’ll review the concepts of Static and Dynamic security testing, and how the both can be combined to implement into your deployment pipeline. We’ll go over open source and managed tools that can assist you in the transition to DevSecOps and continuous security, as well as give examples of how to realistically implement this at your startup, and how to explain the business value of continuous security to your leadership team.
At the end of the talk, you’ll have a clear understanding of the landscape of tools you can use today to help you secure your infrastructure, an understanding of why they can be valuable, and how to explain the business value of them to a non-technical leadership team.